Tutorial: Integrate WebSphere eXtreme Scale security in a mixed environment with an external authenticator
Introduction: Security in a mixed environment
In this tutorial, you integrate WebSphere eXtreme Scale security in a mixed environment. The container servers run within WAS, and the catalog service runs in stand-alone mode. Because the catalog server is in stand-alone mode, configure an external authenticator.
If both the container servers and catalog server are running within WAS, you can use the WAS Authentication plug-ins or an external authenticator. For more information about using the WAS Authentication plug-ins, see Tutorial: Integrate WebSphere eXtreme Scale security with WAS.
Learning objectives
The learning objectives for this tutorial follow:
- Configure WebSphere eXtreme Scale to use the KeyStoreLoginAuthenticator plug-in
- Configure WebSphere eXtreme Scale transport security to use WAS CSIv2 configuration and the WebSphere eXtreme Scale properties file
- Use Java™ Authentication and Authorization Service (JAAS) authorization in WAS
- Use the xsadmin tool to monitor the data grids and maps that you created in the tutorial.
Time required
This tutorial takes approximately 4 hours from start to finish.
Skill level
Intermediate.
Audience
Developers and administrators who are interested in the security integration between WebSphere eXtreme Scale and WAS and in configuring external authenticators.
System requirements
- WAS v6.1 or v7.0.0.11 or later with the following fixes applied: interim fix PM20613 and interim fix PM15818.
- WebSphere eXtreme Scale v7.0 or v7.1. The catalog server must be running on a stand-alone installation, not an installation that is integrated with WAS.
- Update the Java runtime to apply the following fix: IZ79819: IBMJDK FAILS TO READ PRINCIPAL STATEMENT WITH WHITESPACE FROM SECURITY FILE
- The stand-alone node that runs the catalog service must use the IBM Software Development Kit v1.6 J9. This Software Development Kit is included in the WAS installation. The catalog server node must be a stand-alone installation because you cannot run the startOgServer command within an installation of WebSphere eXtreme Scale on WAS.
This tutorial uses four WAS application servers and one deployment manager to demonstrate the sample.
Prerequisites
A basic understanding of the following items is helpful before you start this tutorial:
- WebSphere eXtreme Scale programming model
- Basic WebSphere eXtreme Scale security concepts
- Basic WAS security concepts
For background information about WebSphere eXtreme Scale and WAS security integration, see Security integration with WAS.
Modules in this tutorial
- Module 1: Prepare the mixed WAS and stand-alone environment
Before you start the tutorial, create a basic topology that includes container servers that run within WAS. In this tutorial, the catalog servers run in stand-alone mode.
- Module 2: Configure WebSphere eXtreme Scale authentication in a mixed environment
By configuring authentication, you can reliably determine the identity of the requester. WebSphere eXtreme Scale supports both client-to-server and server-to-server authentication.
- Module 3: Configure transport security
Configure transport security to secure data transfer between the clients and servers in the configuration.
- Module 4: Use Java Authentication and Authorization Service (JAAS) authorization in WAS
Now that you have configured authentication for clients, you can further configure authorization to give different users varying permissions. For example, an "operator" user might only be able to view data, while a "manager" user can perform all operations.